SPF - Best TXT record to prevent spoofing when using GAPPS/GSuite for email

BlazingBlazing Member
edited November 2016 in Help

I have a few domains - all using Google/G-Suite for the email hosting.

All are set up w/SPF & DKIM. (edit - also have DMARC set. And postmaster & abuse addressed to Google in my groups setup in Gapps).

On occasion, I receive an email that has been spoofed to look like it came "via" from my domain name. (It hasn't, but I'm surprised it gets through many MX servers - which apparently don't have their servers locked down.)

The txt record I am using (per google) is:

"v=spf1 include:_spf.google.com ~all"

Since Google is handling email in both directions (all 5 MX records point to google) would this be better syntax?

v=spf1 +a -all include:_spf.google.com ~all

or possibly

v=spf1 a:MYDOMAINEXAMPLE.com -all include:_spf.google.com ~all

Comments

  • The spoofed mail should actually land in your SPAM... and if it does, I don't think there is anything else to be done.

  • BlazingBlazing Member
    edited November 2016

    It's not landing in my spam folder in gmail.

    Background: For further clarity, I have the unused domains forwarding email to a personal gmail.com address.

    Here is how one (though all of the spoofed emails have a similar "via") appears in my personal gmail.

    Daily Tip claimantATscamscamDOTc0m via MYSPOOFEDDOMAIN dot c0m
    I removed the "< >" above as it would not display properly on the page

  • nullnotherenullnothere Member
    edited November 2016

    (I am no SPF/DKIM expert) but AFAIK, there should only be one [+-~]all keyword and it is typically at the END.

    I'd suggest flipping the ~all to a -all since you are using G(Mail/Apps/Suite/Whatever) (and only Google etc.) to SEND emails as well (and of course this doesn't appear to be obviously documented anywhere in the Google help sites but it is valid and correct).

    The SPF/DKIM experts can chime in with their $0.02.

    Also, I'd suggest using any one of the SPF validators out there to ensure that your SPF record is syntactically correct/valid (etc.).

    HTH.

    Edit: corrected formatting issues.

  • Are you using a paid GAPPS account or free?

  • If you want major email providers (Gmail, Hotmail, Yahoo) and other servers which support DMARC to reject email from your domain which fails SPF or DKIM, you can add a DMARC TXT record to your domain's DNS set to reject.

    One of the downsides is that all your legit email sent via your domain needs to pass the SPF and DKIM check or it could get rejected.

  • It's a "legacy" account :-).

    This "via" spoofing occurred (in spurts) years before G stopped providing the free service and switched to G Suite. It also occurred even when I used the -all instead of the tilde.

    Reason I bring it up now, I'm close to using one of the domains and want to have the email buttoned down as much as possible.

    To the best of my knowledge, this does NOT affect my domains' email rank, nor are they blacklisted.

    It's more a way to prevent my "brand" (the domain name) from (even if wrongfully) being associated with BS email sales pitches.

    FYI: Even if you never use a domain for email, per research, you should use an SPF qualifier to hasten spoofing. A simple "v=spf1 -all"

  • BlazingBlazing Member
    edited November 2016

    I didn't mention dmarc but that was/is setup

    "v=DMARC1; p=reject; adkim=s; rua=mailto:xxxxxx123ATgmail; ruf=mailto:xxxxxx123ATgmail; pct=100"

    I also have postmaster & abuse addresses setup in the group section of gapps.
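
An added example, not part of the thread: a minimal Python check of the "only one all keyword, at the END" point, run over the SPF records quoted above. It relies on the RFC 7208 rule that `all` always matches, so terms after it are never evaluated; the function name `lint_spf` and the record labels are hypothetical.

```python
# SPF term linter (added example). Sample records are copied from the thread;
# the labels and the function name are hypothetical.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RECORDS = {
    "google_default": '"v=spf1 include:_spf.google.com ~all"',
    "proposed_1": "v=spf1 +a -all include:_spf.google.com ~all",
    "proposed_2": "v=spf1 a:MYDOMAINEXAMPLE.com -all include:_spf.google.com ~all",
    "hard_fail": "v=spf1 include:_spf.google.com -all",  # ~all flipped to -all
    "no_mail_domain": "v=spf1 -all",
}


def lint_spf(record):
    """Return (effective_terms, default_result, warnings) for one SPF record."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return [], None, ["record does not start with v=spf1"]
    effective, default, warnings = [], None, []
    for i, term in enumerate(terms[1:], start=1):
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name = body.replace("/", ":").split(":", 1)[0].lower()
        if "=" in body.split(":", 1)[0]:
            effective.append(term)  # modifier such as redirect= or exp=
            continue
        if name not in MECHANISMS:
            warnings.append(f"unknown mechanism: {term}")
            continue
        effective.append(term)
        if name == "all":
            # 'all' always matches, so evaluation stops here (RFC 7208).
            default = QUALIFIERS[qualifier]
            if terms[i + 1:]:
                warnings.append("never evaluated (after 'all'): " + " ".join(terms[i + 1:]))
            break
    if default is None:
        warnings.append("no 'all' mechanism in this record")
    return effective, default, warnings


if __name__ == "__main__":
    for label, record in RECORDS.items():
        effective, default, warnings = lint_spf(record)
        print(f"{label}: default={default} effective={' '.join(effective)}")
        for w in warnings:
            print(f"  warning: {w}")
```

For both proposed records the `include:_spf.google.com` term sits after `-all` and is never reached, so only hosts matching the `a` mechanism pass.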
